
List:       full-disclosure
Subject:    [Full-disclosure] BASE - 3 Persistent Cross Site Scripting
From:       Jabra <jasbro7 () gmail ! com>
Date:       2009-05-31 3:21:33
Message-ID: f5cb97050905302021w6d80f255h3070457ae56b340a () mail ! gmail ! com


BASE, a well-known Snort frontend, has 3 persistent Cross-Site Scripting
vulnerabilities.

For those who don't know, Cross-Site Scripting allows the attacker to inject
JavaScript to modify the functionality of the web pages. Since this
vulnerability exists in BASE, this allows an attacker to drop alerts (all of
them or specific alerts), modify user information including passwords,
modify the configuration of BASE and many other tasks. The only limitation
is the attacker's creativity.

The vulnerabilities exist in pages that use the information from 3 different
components of BASE including: alert groups, roles and user information.

For creating a user, the name field was found to be vulnerable. For the name
field, I just injected JavaScript and it was rendered!

For creating an alert group, we just need to include a closure for the HTML
by using "> and add our JavaScript afterwards. This causes the page that
loads the name to close the HTML and execute our JavaScript! This is due to
HTML encoding being used on the page.

For creating a role, both the name and the description field were
vulnerable. The name field was limited to a specific number of characters.
To verify, I just injected XSS and verified it rendered properly. The
description field was just straight JavaScript.
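As an added illustration (not code from the advisory, and not from BASE itself, which is written in PHP), the Python below shows the attribute-closure problem described for the alert-group name: a stored name concatenated straight into an HTML attribute beside the same rendering with entity encoding on output. The `group_name` field, the markup and the sample name are assumptions constructed for the example.

```python
import html
from html.parser import HTMLParser


class TagCollector(HTMLParser):
    """Records the elements and attributes a browser would build from the markup."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.setdefault(tag, dict(attrs))


def parse(markup):
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    return collector


def render_name_unsafe(stored_name):
    # Stored field concatenated straight into an attribute value: the data is
    # parsed as markup, so a closing quote and bracket end the element early.
    return '<input type="text" name="group_name" value="' + stored_name + '">'


def render_name_safe(stored_name):
    # Entity-encode & < > " ' at output time; the same characters are then
    # shown as text and can no longer end the attribute or open an element.
    encoded = html.escape(stored_name, quote=True)
    return '<input type="text" name="group_name" value="' + encoded + '">'


# Constructed sample of a stored name using the "> closure, followed by a
# harmless tag standing in for whatever script an attacker would store.
BREAKOUT_NAME = '"><script>probe()</script>'


def elements_created(markup):
    """Element names a browser would instantiate; a stored name must never add one."""
    return parse(markup).tags


if __name__ == "__main__":
    print(elements_created(render_name_unsafe(BREAKOUT_NAME)))  # ['input', 'script']
    print(elements_created(render_name_safe(BREAKOUT_NAME)))    # ['input']
```

The encoded form still round-trips: the parser hands the original name back as the attribute's value, so display is unchanged while no extra element is created.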


Screenshots can be found at:

http://www.spl0it.org/blog/index.php?entry=entry090530-212022

Regards,
Jabra




